IT Networking or IT Security

Recently, while building a switch configuration, I began to think about security at a very “basic” level. Not the security of keeping everyone from nasty professional hackers to ‘script-kiddies’ out in the first place, more the security of keeping “unwanted” traffic from management interfaces and administrative CLIs. That thought quickly spiraled out of control.

As administrators we are all thinking about our network security on a regular basis, but the rabbit hole I seem to have gone down reaches all the way from the ‘nuts and bolts’ of username xyz password a1b2c3$x into the realm of administrative VLANs, telnet vs. ssh vs. dsa/rsa keys, access restrictions, user/change tracking, etc., well inside the edge where security is a top concern.

A simple example would be a single switch for a small office; you give it some network settings (STP, VLANs, port types, hostname and IP) and set a few passwords (console, tty and enable). A bit of documentation so you remember where it’s at and what it’s called, and you’re done, right? Given that this equipment is in your own internal environment, with no DMZ interaction, and neither public networking nor non-administrators would have access to or overt knowledge of this back-end, there’s probably a feeling of “low risk”. As a matter of fact, I’m pretty sure the majority of office networks are set up in this fashion. Admins have passwords and device IPs for switches and routers, users don’t, and that’s probably sufficient… or is it?

What if we change the scenario a bit, for example, when adding a new office. With 12 or 15 switches on the access layer, 3 more at the distribution layer and some gear at the core (firewalls, routers, ISP gateway), how would you design the security and manage all of these setups?

Is there a “complexity” or a “size” where it’s OK to manage an infrastructure using just the inside IP range, or do you always limit management access to a small subset of IPs or a single VLAN? Do you have a “master password” or a “common keychain” for the network in a small or remote office, or is every device different, requiring something like a password database and dedicated TACACS/RADIUS services to manage just a few switches? Is an http interface on the inside network of a switch good enough, or does it need to be https on the management VLAN only with a secure keypair? Do you just limit your hardware to console ONLY?

When I look back at these questions I see more and more questions cropping their ugly little heads up. Things like how to document, how to manage changes, or where to draw the “line of best fit” to keep the ability to troubleshoot remotely (good if you’re 6 hours away by air). The sheer number of options quickly multiplies into a very large pile of “what’s best for this situation”.

So, assuming a medium-size network with edge, core, distribution and access layers, what would be the de facto best practice for network device setup? Aside from the obvious “don’t use telnet” or “don’t allow management connections through the firewall unrestricted”, are there things we all do to keep the infrastructure safe?

One paradigm I've always liked is having your management interfaces on the switches connected to a dedicated LAN. A simple switch does a fine job. Then disable all other access to the switch. Finally, set up a firewall/router on the management LAN that only accepts VPN connections and then, only from IPs/MACs on the production network that are known management workstations.
Remote management is done via VNC/RDP to a management workstation. And there is your security problem as well. If someone compromises a management workstation, it's possible they may also get to your network hardware as well. You would need to do a good job of securing those stations.
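The answer above (management interfaces on a dedicated LAN, every other path to the switch disabled) and the checklist in the original question (ssh instead of telnet, management access limited to a small set of IPs or one VLAN, TACACS with a fallback, http vs. https, change tracking) can be expressed as one access-switch configuration. The listing below is an added example, not code from the thread's authors; it uses Cisco IOS syntax (other vendors differ in spelling, not in substance) and assumes a management VLAN 99 on 10.99.0.0/24, a TACACS+ server at 10.99.0.5, a syslog host at 10.99.0.6 and a gateway/NTP source at 10.99.0.1. All addresses, names and REPLACE_ME secrets are placeholders.

```cisco
! Assumed topology (not from the thread): management VLAN 99 = 10.99.0.0/24,
! TACACS+ server 10.99.0.5, syslog host 10.99.0.6, gateway/NTP 10.99.0.1.
! Replace every REPLACE_ME value before use.
hostname sw-access-01
ip domain-name corp.example
service timestamps log datetime msec localtime show-timezone
! Type-7 encryption only obscures line passwords; real secrets use "secret" below.
service password-encryption
enable secret REPLACE_ME
!
! Management VLAN: the only SVI with an address; the default VLAN 1 stays down.
vlan 99
 name MGMT
interface Vlan1
 shutdown
interface Vlan99
 description Management
 ip address 10.99.0.11 255.255.255.0
 no shutdown
ip default-gateway 10.99.0.1
!
! Only hosts on the management network may open a CLI session; everything else is logged.
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
! SSH v2 only. The RSA host key is generated once, interactively, with
! "crypto key generate rsa modulus 2048" and does not appear in a config listing.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Central AAA (per-user accounts, command accounting) with a local fallback
! account that is only consulted when the TACACS+ server is unreachable.
username netadmin privilege 15 secret REPLACE_ME
aaa new-model
tacacs server TAC1
 address ipv4 10.99.0.5
 key REPLACE_ME
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
login block-for 120 attempts 3 within 60
login on-failure log
!
! Console stays available; VTY lines accept SSH only and only from MGMT-HOSTS.
line con 0
 exec-timeout 10 0
 logging synchronous
line vty 0 15
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 logging synchronous
!
! No clear-text or unneeded management services: web UI and SNMP agent off.
no ip http server
no ip http secure-server
no snmp-server
!
! Change tracking: every configuration command is sent to syslog with secrets hidden.
logging host 10.99.0.6
logging trap informational
ntp server 10.99.0.1
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
```

Apply it in this order on a live switch: create VLAN 99 and the SVI, generate the RSA key, confirm an SSH login from a management host works, and only then set `transport input ssh` and the `access-class`, since those two lines cut off any telnet session you might be using. The VPN-only firewall in front of the management LAN from the answer above is a separate device and is not part of this listing; if a web UI is genuinely required, enable `ip http secure-server` alone and restrict it with `ip http access-class` to the same management range.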




William, I agree with you that there is a need to work on security, but one has to note that hackers are intelligent, as they work around the clock to break into your firewalls, and that being the case, one has to improve security on a daily basis to avoid setbacks.

Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not affiliated with or endorsed by any company listed at this site.